Opened 3 years ago

Closed 3 years ago

#27 closed defect (fixed)

Crin2 certificate access

Reported by: peter Owned by: chris
Priority: major Milestone: Maintenance
Component: crin2 Version:
Keywords: Cc:
Estimated Number of Hours: 0 Add Hours to Ticket: 0
Billable?: yes Total Hours: 0.17

Description

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

How should we manage access to certificates?
Should we create a developers group?

Change History (3)

comment:1 in reply to: ↑ description Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.15
  • Component changed from backups to crin2
  • Total Hours set to 0.15

Replying to peter:

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

Ah ha! This could explain the problems I have documented here:

How should we manage access to certificates?
Should we create a developers group?

I don't think it is a big security issue if all users on the server have access to the CAcert certs, so I have done this on both servers (previously they were only readable by root and mysql):

chmod 755 /etc/ssl/cacert
chmod 644 /etc/ssl/cacert/*.pem

I'd also be happy to restrict permissions if you think it is necessary. These certs and keys are used by MySQL and also by non-public sites like the Munin stats to save on the cost of commercial certs; if you install the CAcert root certificates then you won't get browser security warnings.


comment:2 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.02
  • Total Hours changed from 0.15 to 0.17

See also ticket:18#comment:4 -- all users on Crin2 need a ~/.my.cnf containing:

[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/ssl/cacert/cacert.pem
ssl-cert=/etc/ssl/cacert/crin1_cert.pem
ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem

For them to be able to use drush, I have created /var/www/.my.cnf so that the www-user user can be used for running drush commands.

Peter -- please close this ticket if you think the issue is resolved.
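Added example, not part of the ticket or the Crin2 setup: comment:1 opens the directory with `chmod 644 /etc/ssl/cacert/*.pem`, and comment:2 shows that the client private key (`crin1_yassl_privatekey.pem`) is read from that same directory with a `.pem` suffix, so the wildcard makes the key world-readable along with the certificates. The script below builds a scratch copy of that layout with constructed placeholder files, applies the exact chmod commands from comment:1, audits for world-readable private keys, and then applies the "developers group" scheme peter asked about (certificates stay 644, keys become 640 and group-owned). The group name, file contents and detection by the `PRIVATE KEY` PEM header are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a /etc/ssl/cacert-style directory
# for world-readable private keys and apply a developers-group scheme instead.
# Runs entirely against a constructed temporary directory; the group name,
# file contents and PEM-header detection are assumptions, not the project's setup.

# Create a scratch copy of the layout named in the ticket and apply the exact
# commands from comment:1 (chmod 755 on the dir, chmod 644 on every *.pem).
# File contents are constructed placeholders, not real certificates or keys.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-ca' '-----END CERTIFICATE-----' \
        > "$dir/cacert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-server' '-----END CERTIFICATE-----' \
        > "$dir/crin1_cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-key' '-----END RSA PRIVATE KEY-----' \
        > "$dir/crin1_yassl_privatekey.pem"
    chmod 755 "$dir"
    chmod 644 "$dir"/*.pem
    printf '%s\n' "$dir"
}

# Permission bits as shown by ls (first ten columns), e.g. -rw-r-----.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# True if the "other" read bit is set (column 8 of ls -l output).
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# A PEM file holding a private key rather than a certificate. Assumption:
# the key's PEM header contains the words PRIVATE KEY (true for RSA, EC, PKCS#8).
is_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Audit: print every *.pem in DIR that is a private key and world-readable.
world_readable_private_keys() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if is_private_key "$f" && other_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Fix: the developers-group scheme. Certificates are public, so 644 is fine;
# private keys become group-readable only (640) and owned by GROUP so that
# non-root members can still run drush/mysql. GROUP is assumed to exist.
restrict_private_keys() {
    dir=$1
    group=$2
    chmod 755 "$dir"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if is_private_key "$f"; then
            if [ -n "$group" ]; then
                chgrp "$group" "$f"
            fi
            chmod 640 "$f"
        else
            chmod 644 "$f"
        fi
    done
}

# Demonstration on the scratch directory; in production the two functions
# would be pointed at /etc/ssl/cacert with the real developers group.
demo() {
    d=$(make_fixture)
    echo "After the ticket's chmod, world-readable private keys:"
    world_readable_private_keys "$d"
    restrict_private_keys "$d" "$(id -gn)"
    echo "After restricting keys to group $(id -gn):"
    world_readable_private_keys "$d"
    ls -l "$d"
    rm -rf "$d"
}

demo
```

With this split, users who need MySQL-over-SSL from the command line are added to the group named in `restrict_private_keys`, and the `~/.my.cnf` entries from comment:2 keep working for them while the key stays unreadable to everyone else on the box.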

comment:3 Changed 3 years ago by peter

  • Resolution set to fixed
  • Status changed from new to closed

Yes, this is working.
